chore: release master

[github-actions]

Automated release PR. Merging publishes a new tag and triggers the binary + Docker builds.

0.7.0

0.7.0 (2026-05-30)

Features

• atty-guard,sandbox: --ebpf-mode flag + 50-ebpf-loader scenario (#337) (5009e3d)
• atty-guard: #347 PR 1 — kernel-side warn-mode (no EPERM + warn_pids) (#358) (69e46c7)
• atty-guard: #347 PR 2a — SubscribeWarnEvents RPC + broadcast infrastructure (#359) (d32a565)
• atty-guard: #347 PR 2b — ringbuf consumer thread + sandbox scenario 54 (#360) (0acd596)
• guard: atom-fetcher caps + opt-in commit pinning (#208) (98103d7)
• llm: Alt+R now opens a picker overlay listing all persisted dialogs (#241) (47c5417)
• llm: Alt+R recalls the most recent persisted dialog (#240) (22ad943)
• llm: auto-defocus inline chat on dialog action=exec (#170) (0df3727)
• llm: basic markdown → ANSI SGR renderer for chat panel (#179) (e3b7cf7)
• llm: bind Shift+Up/Shift+Down to chat_scroll_up/down (#237) (165e6bf)
• llm: chat panel footer + End-snaps-to-tail (#182) (1acfded)
• llm: chat panel model indicator + Alt+M gate (#174) (133e20e)
• llm: chat panel UX — emoji width, word wrap, multi-line input, resize (#175) (a7c4aa9)
• llm: chat surface defaults to dialog + Alt+T auto toggle + chrome polish (#180) (c65381d)
• llm: Claude-code-style question UX in chat overlay (#214) (7f0b25d)
• llm: Claude-code-style question UX in chat overlay (#224) (7f0b25d)
• llm: collapse observation turns to a line-count stub in the inline panel (#344) (d2bb481)
• llm: fenced-action protocol + lenient parser (#177) (9502c19)
• llm: per-dialog NDJSON persistence — auto-save every turn (#238) (9e9b4ff)
• llm: per-mode + multi-provider via providers array (#169) (afd887b)
• llm: per-row chat scroll windowing (closes #213) (#242) (c25d44b)
• llm: render question pick-list in inline chat panel (#308) (#324) (2b39922)
• llm: render SGR colors in full-size chat observation turns (#311 Part B) (3f67b5e)
• llm: render SGR colors in full-size chat observation turns (partial #311) (#325) (3f67b5e)
• llm: show first user line in Alt+R recall picker (#328) (1493064)
• llm: subprocess provider — claude -p and friends (#158) (74c2a05)
• llm: subprocess session continuation (#166) (4d11401)
• llm: subprocess streaming output (stream-json) (#165) (f6af0a8)
• llm: subprocess wall-clock timeout enforcement (#164) (3a12df9)
• mouse: #304 PR 4a — SGR 1006 mouse-event parser (#362) (067eb04)
• mouse: #304 PR 4b — onMouseClick dispatch hook + MouseAction (#363) (8dd7b03)
• mouse: #304 PR 4c — proxy stdin intercept + Mouse config subsystem (#364) (def559c)
• mouse: #304 PR 4d — emit DECSET SGR-1006 on startup, pop on exit (#365) (df56882)
• mouse: #304 PR 4e — path-detector helper (pure, tested) (#366) (54ed5bf)
• mouse: #304 PR 4f — mouse_links module wiring (#367) (9fef863)
• mouse: #304 PR 4g — mouse_urls module with whitelist trust gate (#368) (86e0f12)
• mouse: #304 PR 4h — ask_each banner + session-trust (final) (#369) (f5c72eb)
• sandbox: 4 core scenarios — install, cross-UID, sudo atoms, auto-Block (#335) (c41f678)
• sandbox: 62-onnx-fallback — fail-closed posture for explicit Tier-2 ONNX (#342) (1ba9c21)
• sandbox: docker-based e2e scenario harness with smoke test (#334) (9fb3742)
• sandbox: eBPF scenarios 51 + 52 + kernel-side image build (#348) (fbbc407)
• sandbox: ONNX scenarios 60 + 61 + per-scenario image override (#346) (81a8d05)
• sandbox: real-incident replay scenarios 70 / 71 / 72 (#355) (45eff39)
• sandbox: scenario docker-config typo guard + securityfs probe split (#343) (9fb81dd)
• security_guard: #209 — atom-fetcher drift detection + pin-init bootstrap (#243) (79983a8)
• security_guard: #347 PR 3 — Alt+Shift+W warn-event dump (#370) (a7ecc3b)
• security_guard: #347 PR 3 — atty-side warn subscriber + status segment (#361) (e37b1d0)

Bug Fixes

• Fix: (f87cbb1)
• atty-guard: audit batch 2 — Rust bugs (trust_store, threat-map, log redaction, atom OOM) (#307) (a20c23b)
• atty-guard: bound write_locks + sweep stale tmp files (closes #251, #252) (#321) (8b4e79f)
• atty-guard: graceful SIGTERM/SIGINT/SIGHUP handling (#276) (#314) (7b4fc7f)
• atty-guard: harden sudo_target_uid against env injection (#271) (#301) (cd2a90b)
• atuin: bounded record FIFO, threshold-only sync timing, joined final sync (#027 #028 #030) (#261) (13e9093)
• audit batch 1 — Zig bugs (#286, #287, #288) (32af600)
• audit batch 1 — Zig bugs (worker, proxy, history) (#306) (32af600)
• audit batch 3 — security MEDs (live-tracking warn, LLM endpoint ANSI sanitize) (#309) (30ca068)
• guard: --config load failures now exit non-zero (#231) (30541fd)
• guard: --config load failures now exit non-zero (was fall-open) (30541fd)
• guard: authorize set_threat_level — non-root callers limited to own PIDs (#188) (d1619f9), closes #187
• guard: bounded thread pool + idle read timeout (#193) (1c84f34)
• guard: canonicalize socket path for lock so symlink aliases collide (#218) (a91ae2c)
• guard: cap + prune OSV lookup cache (#233) (a4996aa)
• guard: drop ProtectProc=invisible — incompatible with set_threat_level auth (#206) (2fdba32)
• guard: honor [tier2] backend in config (cli > config > default) (#232) (f87cbb1)
• guard: network.conf drop-in for osv-live + atoms-fetch (#195) (fc369c3), closes #187
• guard: post-merge review-fixups for PRs #231 / #232 (#234) (af6ce63)
• guardrail: re-check rules on mixed-chunk Enter (#269) (#299) (2361eb1)
• guard: single-instance flock guard on socket startup (#192) (5543bcc)
• line_state: preserve cursor across mid-line delete syncFromCapture (#239) (9da0845)
• llm: Alt+Shift+C opens an empty overlay instead of refusing (#236) (3c821f1)
• llm: cap concurrent orphan HTTP fetches to bound resource leak (#219) (4cc2c9a)
• llm: chat panel UX — divider repaint on cycle + drop 3-row truncation (#176) (6e1bd79)
• llm: chat shortcuts back into statusbar + bump response/turn byte caps (#184) (6efe797)
• llm: clear cached chat cursor on exec completion (#303) (#323) (c61264f)
• llm: conclusion banner wraps multi-line reason instead of right-drifting (#178) (9ee294d)
• llm: done-action reason truncated at parse + chat-mode render (#212) (f9f2b00)
• llm: enforce HTTP timeout_ms via sub-thread + watchdog (#190) (24286ea), closes #187
• llm: heap-allocate chat_overlay_buf for unbounded turn content (#221) (cdb3128)
• llm: heap-allocate chat_overlay_buf so long-reason turns don't overflow (cdb3128)
• llm: inline .done reason — reserve 2 cols for ✓ prefix in wrap budget (#217) (6766465)
• llm: inline .done reason — reserve 2 cols for ✓ prefix in wrap budget (6766465)
• llm: kill subprocess process group on timeout (#194) (ea3d537)
• llm: recall picker arrow keys + auto-close inline panel on Alt+R (#318) (#322) (c1494be)
• llm: seek to end of large persist file (#191) (f6755ba)
• proxy: drop shell-fired CPR replies that leak through DsrParser gate (#235) (bc83b69)
• proxy: shell-alt-screen TUIs (k9s, vim, less) see Esc on first press (#181) (a214dbc)
• proxy: shell-alt-screen TUIs see Esc on the first press (a214dbc)
• security_guard: #022 + #023 — atoms list --fetched + drop stale libonnxruntime refs (#250) (3f6ef37)
• security_guard: #024 + #025 — serialize trust-store writes, retain cap-blocked hashes (#248) (d013073)
• security_guard: clear daemon threat mark when local state clears (#230) (52810e4)
• security_guard: close UDS fd on classify timeout (#272) (#302) (47ca882)
• security_guard: decouple config parsing from tier2-onnx feature (#032) (#266) (ad10374)
• security_guard: fail-closed on explicit ONNX backend load failure (#026) (#260) (a91b390)
• security_guard: forward context to atty-guard daemon classify (#189) (fd837c7)
• security_guard: OSV checks all installed packages, not just the first (#029) (#262) (c2a0bc9)
• security_guard: parse daemon ok/error envelopes for mutation RPCs (#207) (4bede99)
• security_guard: PID-threat verdict worst-wins escalation (#268) (#273) (fb6c269)
• security_guard: reject non-hex hashes in TrustCache add (#270) (#300) (b2ac5b2)
• statusbar: re-assert DECSTBM when inline TUIs clobber it (#249) (#253) (ffc7100)
• TOCTOU defense in slaveIsHiddenInput + clear desyncs chat state (#283, #305) (#313) (5749511)

Performance

• line_state: bulk-append printable runs in applyInput (#289) (#319) (4c3d758)
• llm/paint: swap page_allocator for stack-backed FBA (#285) (#316) (f47682a)
• llm: chat input fast-path — skip scrollback rewalk on typing (#186) (b8d687a)
• llm: unify stream-json result + session_id walkers (#172) (ee2d377)

Refactor

• atty-guard: extract dispatch arms into per-request handlers (#280) (9ae6134)
• atty-guard: extract dispatch arms into per-request handlers (closes #280) (#326) (9ae6134)
• atty-guard: split atom_fetcher into per-domain submodules (closes #281) (#327) (114463a)
• atty-guard: split atom_fetcher.rs into per-domain modules (#281) (114463a)
• llm: dynamic per-response buffers (lifts inline fixed-size reservation) (#185) (e069eaa)
• main: extract inline shell snippets to src/snippets/ (3f0356e)
• main: extract inline shell snippets to src/snippets/ files (#315) (3f0356e)

Documentation

• atuin: refresh provider/architecture/modules docs for FIFO + sync + delete (#033) (#267) (7b6651c)
• audit batch — V-table refresh + paint skip semantics (closes #298) (#320) (9506e1c)
• audit batch 5 — fix doc drift across atty + atty-guard (#298) (e175050)
• audit batch 5 — partial doc drift fixes (#298) (#312) (e175050)
• getting-started: git-clone install path, promote shell-rc, safer demo (#352) (b23db11)
• guard-design: sweep stale 'next step' + LOLBAS + atom-path claims (#198) (6450623)
• guard: correct status drift — V2-B / V2-C / V2-F / V2-I all shipped (5269ccb)
• guard: correct status drift — V2-B/C/F/I all shipped (#220) (5269ccb)
• guard: rewrite README security model section (#196) (60e0f3d)
• install: threat-model paragraph for the atty group (#298) (5dc6a9a)
• install: threat-model paragraph for the atty group (partial #298) (#317) (5dc6a9a)
• llm: catch up on fenced-action protocol + new chat bindings (#183) (9a706ab)
• llm: renderOverlayTurnContent arena comment matches impl (#222) (b5594a6)
• modules: correct atty-guard socket path + user-unit reference (#197) (413131b), closes #187
• providers: correct vi-mode hjkl mechanism — model desync, not uncertain flag (4aa37d6)
• providers: correct vi-mode hjkl mechanism (#223) (4aa37d6)
• providers: tab completion with OSC 133 (#171) (67fa354)
• proxy: state-machine diagram for run() phase order (partial #298) (d597fb6)
• refresh stale Atuin defaults + atom-refresh help + OSC 133 roadmap (#031) (#263) (cfb8f2b)
• refresh stale claims across READMEs + sandbox + integration (#357) (09f63af)
• security_guard: document UDS hot-path blocking contract (#282) (#310) (378de4b)
• shared terminal_example component + LLM page demo (#354) (6d1718d)
• sweep — mouse stack (#304) + warn-mode overlay (#347) (#371) (a9acc91)

---

This PR was generated with Release Please. See documentation.